Well, technically, I don't think IPA needs DNS entries simply for 
synchronization, so you could technically give it the same domain suffix. 
However, if you plan on using it for the purpose of clients to connect, it will 
need to be on its own domain. 
The reason it is highly suggested for different domains to have different 
suffixes within DNS is because clients will 'dig' that domain for Kerberos and 
LDAP type records when looking for domain servers. Something like the below, 
for example:
  # dig -t SRV _kerberos._tcp.EXAMPLE.COM.
If this returns both AD /and/ IPA servers, your clients will have a bad time. 
Sent via carrier pigeons

-------- Original message --------
From: Striker Leggette via FreeIPA-users <freeipa-users@lists.fedorahosted.org> 
Date: 6/14/17  8:12 PM  (GMT-05:00) 
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org> 
Cc: Striker Leggette <stri...@terranforge.com> 
Subject: [Freeipa-users] Re: FreeIPA - Active Directory integration and domain 
names 


    
Yes


Sent via carrier pigeons

-------- Original message --------
From: bogusmaster--- via FreeIPA-users <freeipa-users@lists.fedorahosted.org> 
Date: 6/14/17  6:06 AM  (GMT-05:00) 
To: freeipa-us...@redhat.com 
Cc: bogusmas...@o2.pl 
Subject: [Freeipa-users] FreeIPA - Active Directory integration and domain 
names 

Hi,

I have a question regarding establishing one-way trust between FreeIPA 
and Active Directory. In the documentation it is stated that to use a 
cross-forest trust it is required for FreeIPA to have a different domain 
than that of Active Directory. Does it also apply to the synchronization 
scenario?

Thank you

Bart
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to